Unfortunately, hardware makers don’t get to enjoy that same luxury. Beyond guaranteeing a product free from workmanship or material defects, consumer protection law often requires an implied or express ‘fitness for purpose’ guarantee – that a piece of hardware is capable of doing what it’s advertised to do. The latest controversy over Spectre/Meltdown indicates that more people than not feel CPU makers like Intel should be liable for these bugs, under the ‘fitness for purpose’ theory.
Open hardware makers should be deeply concerned. Consider if the Raspberry Pi were found vulnerable, and the only fix was to recall hardware units and replace them with a new board. If you had baked a Raspberry Pi into your product, what would happen to your business?
Now consider that open review of documentation greatly increases the rate of bug discovery. Does it make business sense to share documentation with a customer base that will surely sue you for the favour?
There’s no right answer to this situation. We need transparency to make more secure, trustworthy, bug-free systems, but consumers also need to make sure they are not being sold a lemon. The Spectre/Meltdown question merely begs the question, but offers no guidance on the correct answer.
If you think transparency is important to safety and security, rewarding hardware makers for sharing documentation by voluntarily reducing their liability can create a measurable economic incentive, thus encouraging more sharing. On the other hand, if you feel a guarantee for fitness is paramount, then you must accept that what you don’t know can’t hurt you – until it does. In other words, if your policy is to sue developers over bugs, you can’t in the same breath blame them for making bugs harder to find by closing their source.
